If WhatsApp can be hacked, what hope for privacy online?
- It is not the first time a software vulnerability has been exploited by hackers
- Users may consider protecting themselves by taking extra security measures

“Not again” might have been the first thought of millions of people around the world last week when WhatsApp was compromised.
It wasn’t the first time that software vulnerabilities have been exposed but, more to the point, WhatsApp is known for its high-level security and privacy. If even that app can be hacked, who, or what, can users trust?
Security experts have played down the threat. Only a small number of people were affected and WhatsApp, owned by Facebook, quickly issued a patch that fixed the problem.

Scott Storey, a senior lecturer in cybersecurity at Britain’s Sheffield Hallam University, said that, for the average end user, “it’s not something to really worry about: this isn’t someone trying to steal private messages or personal details”.
“WhatsApp themselves have advised this was a targeted surveillance attack,” Storey said. “To install the surveillance software, users will have had to receive a phone call from a number they do not know. If you haven’t received one, you haven’t been targeted.” So, for the vast majority of users, their data has not been compromised.
Tobias Boelter is a security engineer at Google who spoke in a private capacity. He points out there are always vulnerabilities in software. “There was an arguably equally devastating vulnerability in Windows just today,” Boelter said, speaking from California last Wednesday. “Those just get reported less often in the mainstream media.”
It is not the existence of a vulnerability that is the problem, but what happens when it is exploited. “When there is a vulnerability and someone goes and targets a person or group of people and compromises (or on-sells) their private information, instead of responsibly disclosing it to the vendor,” he said.
The right thing
When it comes to protecting the content of messages, Boelter believes the WhatsApp team “is fundamentally trying to do the right thing” while having to make usability trade-offs to accommodate their large user base.
However, he concedes that it is less clear what WhatsApp does with a user’s metadata: details such as the contact list, the social graph, and who a user talks to, when, and for how long.
As to how users can protect themselves, Boelter says the biggest consideration should be whether a messaging app supports end-to-end (E2E) encryption. E2E encryption scrambles messages in such a way that only the intended recipient can unscramble them, so neither the service provider nor third parties can read or listen to the content – unless the phone itself is hacked, which happened in the recent WhatsApp case.
“E2E encryption removes the largest threat surface: the provider getting breached,” says Boelter.

Threat surface is also known as the attack surface, and either term refers to the sum of all the different points in a system an attacker could try to exploit. Boelter likens this to a house with two windows and a door being less secure against a burglar than a house with just a door.
“There are different E2E encryption algorithms where some are better than others, but if E2E is supported that is probably the single most important indicator of how serious a company is about protecting their user’s messages.”
Messaging software that doesn’t have E2E encryption includes Facebook Messenger (by default), email, WeChat, Line (by default), Slack and Twitter direct messages, Boelter said. Software that supports E2E encryption includes Signal, Wire, WhatsApp and iMessage.
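To make the threat-surface argument above concrete, here is an added Python model (not code from the article or from any messaging app) of the three scenarios the text describes: an attacker who breaches a provider that holds the message keys, one who breaches a provider that only relays E2E ciphertext, and one who compromises the phone itself, which is also the position an attacker is in if a plaintext chat backup is exposed. The cipher, the `Provider` class and the sample message are constructed for illustration only.

```python
import hashlib
import hmac
import os

MESSAGE = b"meet at the cinema at 8"  # constructed sample message

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR keystream cipher built from HMAC-SHA256 blocks: illustration only,
    not a real messaging cipher. Encrypt and decrypt are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Provider:
    """The messaging service: it relays and stores whatever blobs it is handed."""
    def __init__(self):
        self.store = []  # everything an attacker who breaches the provider gets
        self.keys = []   # keys the provider itself holds (empty under E2E)

    def relay(self, key, msg):
        nonce = os.urandom(8)
        self.store.append((nonce, keystream_xor(key, nonce, msg)))

def breach_provider(provider):
    """Plaintexts recoverable by an attacker holding everything the provider has."""
    return [keystream_xor(k, n, c) for n, c in provider.store for k in provider.keys]

def breach_phone(provider, phone_key):
    """Endpoint compromise: the attacker has the phone's key (or its plaintext
    history / backup), so E2E no longer protects the stored ciphertext."""
    return [keystream_xor(phone_key, n, c) for n, c in provider.store]

def compare_models():
    # Model 1: provider-side encryption; the provider holds the key.
    transport_only = Provider()
    transport_only.keys.append(os.urandom(32))
    transport_only.relay(transport_only.keys[0], MESSAGE)
    # Model 2: E2E; only the two phones hold the key, the provider sees ciphertext.
    e2e = Provider()
    phone_key = os.urandom(32)
    e2e.relay(phone_key, MESSAGE)
    return {
        "provider_breach_without_e2e": breach_provider(transport_only),
        "provider_breach_with_e2e": breach_provider(e2e),
        "phone_breach_with_e2e": breach_phone(e2e, phone_key),
    }
```

The provider breach recovers the message only in the non-E2E model; the phone compromise recovers it regardless, which is why patching the device matters as much as choosing an E2E app.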
Personal risk factors
Should messenger app users – including WhatsApp’s 1.6 billion subscribers – be worried about this latest breach? Boelter says that’s up to individuals to decide for themselves.
“Everyone’s risk tolerance is different and there are security/convenience trade-offs,” he said. “Someone may choose to back up their chat history to a cloud provider to preserve it if they lose their phone. But this would also allow the government and everyone who can compromise the cloud provider or the cloud account to access the entire chat history.”
The best way users can protect themselves, apart from using E2E encryption, is to install security updates as soon as they become available, and to avoid manufacturers that deliver security patches late or not at all. “The WhatsApp case just illustrates how important this is,” Boelter said.
Boelter says he uses Signal, a messaging system that includes E2E encryption and promises not to use its users’ metadata, as do many of his friends. Of the more widely used apps, Boelter says he would “still recommend WhatsApp”.
Splendid isolation
Storey says there is no such thing as perfect security “unless you cut yourself off from the world and don’t use your phone, tablet or computer”.
“All technology has its risks,” he says. “It’s important that people recognise this and consider this when deciding how to communicate.
“For example, I use WhatsApp myself to speak with friends, family and colleagues. We talk about the sort of things everyone talks about, arranging trips to the cinema together, checking how everyone is and sharing jokes. If somebody gained access to these, the impact wouldn’t be that significant to my privacy. Someone might know I’m planning to go to the cinema, but my friends have probably already shared that information by checking in on Facebook or Instagram.”

E2E encryption reduces the likelihood of a security breach and most people would consider this level of security good enough – most of the time.
“If you are communicating something more sensitive and important to yourself, say you are starting a new job and need to send a copy of your passport, you could add an extra layer of security by putting a password on the file as well as using E2E encryption,” says Storey.
Safety updates
Apart from securing communications, people should follow general good security practices day to day, Storey advises.
“Keep your devices patched and up-to-date, use strong unique passwords for each site, and use MFA/2FA (multi-factor authentication/two-factor authentication) where available. The site twofactorauth.org is a great source of information,” he says.
“It’s also a good idea to check the site haveibeenpwned.com to see if your email address has been involved in a breach. If it has, make sure you change the password for that site and any other sites that use the same password.”
Boelter adds that it’s certainly worth having a broader discussion about whether governments should be allowed to conduct the kind of hacking exposed in the latest WhatsApp incident “and more importantly, whether governments should be allowed to keep those vulnerabilities secret”.
“They have an obligation to protect their citizens by disclosing and fixing those vulnerabilities at the same time as they want to target certain enemies,” he said.